Another screw-up for British government security practices. From Ars Technica:
A laptop that was stolen from the car of a military recruitment officer contained information about approximately 600,000 people, most of whom were prospective recruits. The database stored on the laptop was not encrypted—a significant violation of MOD data handling policies.
The records, the earliest of which date back to 1997, primarily consisted of names and basic contact information, but more sensitive data—such as passport information, National Health Service numbers, medical details, and drivers' license numbers—were included for 153,000 individuals. Financial and banking information of approximately 3,700 people was also stored on the laptop.
The lack of encryption was a violation of policies that were in place but not followed. Defense Secretary Des Browne vowed to investigate and improve training on following the proper procedures.
But Ars properly notes:
As we have seen many times in the past, even the strictest policies aren't always effective at combating these kinds of data breaches. The frequency with which these situations occur indicates a very clear need to reevaluate the manner in which data is stored, transported, and retained. The impact of data breaches could be minimized if data retention policies are established mandating disposal of information that is no longer actively used.